MakeCert

The MakeCert tool creates an X.509 certificate, signed by the test root key or other specified key, that binds your name to the public part of the key pair. The certificate is saved to a file, a system certificate store, or both. The tool is installed in the \Bin folder of the Microsoft Windows Software Development Kit (SDK) installation path.

The -eku option inserts a list of one or more comma-separated enhanced key usage object identifiers (OIDs) into the certificate. For example, -eku 1.3.6.1.5.5.7.3.2 inserts the client authentication OID. For definitions of allowable OIDs, see the Wincrypt.h file in CryptoAPI 2.0.

-h NumChildren

Maximum height of the tree below this certificate.

-l PolicyLink

Link to SPC agency policy information (for example, a URL).

-m nMonths

Duration of the validity period.

-n "Name"

Name for the publisher's certificate. This name must conform to the X.500 standard. The simplest method is to use the "CN=MyName" format. For example: -n "CN=Test".

-nscp

The Netscape client authentication extension should be included.

-pe

Marks the private key as exportable.

-r

Creates a self-signed certificate.

-sc SubjectCertFile

Certificate file name with the existing subject public key to be used.

-sk SubjectKey

Location of the subject's key container, which holds the private key. If a key container does not exist, one is created. If neither the -sk nor the -sv option is used, a default key container is created and used.

-sky SubjectKeySpec

Subject's key specification. SubjectKeySpec must be one of three possible values:

Signature (AT_SIGNATURE key specification)

Exchange (AT_KEYEXCHANGE key specification)

An integer, such as 3

For more information, see the Note that follows this table.

-sp SubjectProviderName

CryptoAPI provider for subject. The default is the user's provider. For information about CryptoAPI providers, see the CryptoAPI 2.0 documentation.

-sr SubjectCertStoreLocation

Registry location of the subject's certificate store. SubjectCertStoreLocation must be either LocalMachine (registry key HKEY_LOCAL_MACHINE) or CurrentUser (registry key HKEY_CURRENT_USER). CurrentUser is the default.

-ss SubjectCertStoreName

Name of the subject's certificate store where the generated certificate will be stored.

-sv SubjectKeyFile

Name of the subject's .pvk file. If neither the -sk nor the -sv option is used, a default key container is created and used.

-sy nSubjectProviderType

CryptoAPI provider type for subject. The default is PROV_RSA_FULL. For information about CryptoAPI provider types, see the CryptoAPI 2.0 documentation.

-# SerialNumber

Serial number of the certificate. The maximum value is 2^31. The default is a value generated by the tool that is guaranteed to be unique.

-$ CertificateAuthority

Type of certification authority. CertificateAuthority must be set to either commercial (for certificates to be used by commercial software publishers) or individual (for certificates to be used by individual software publishers).

-?

Displays the basic options.

-!

Displays the extended options.

Note

If the -sky key specification option is used in Internet Explorer version 4.0 or later, the specification must match the key specification indicated by the private key file or private key container. If the key specification option is not used, the key specification indicated by the private key file or private key container will be used. If there is more than one key specification in the key container, MakeCert will first attempt to use the AT_SIGNATURE key specification. If that fails, MakeCert will try to use AT_KEYEXCHANGE. Because most users have either an AT_SIGNATURE key or an AT_KEYEXCHANGE key, this option does not need to be used in most cases.

Location of the issuer's key container. The default is the test root key.

-iky IssuerKeySpec

Issuer's key specification, which must be one of three possible values:

Signature (AT_SIGNATURE key specification)

Exchange (AT_KEYEXCHANGE key specification)

An integer, such as 3

For more information, see the Note that follows this table.

-ip IssuerProviderName

CryptoAPI provider for issuer. The default is the user's provider. For information about CryptoAPI providers, see the CryptoAPI 2.0 documentation.

-iv IssuerKeyFile

Issuer's private key file. The default is the test root.

-iy nIssuerProviderType

CryptoAPI provider type for issuer. The default is PROV_RSA_FULL. For information about CryptoAPI provider types, see the CryptoAPI 2.0 documentation.

Note

If the -iky key specification option is used in Internet Explorer 4.0 or later, the specification must match the key specification indicated by the private key file or private key container. If the key specification option is not used, the key specification indicated by the private key file or private key container will be used. If there is more than one key specification in the key container, MakeCert will first attempt to use the AT_SIGNATURE key specification. If that fails, MakeCert will try to use AT_KEYEXCHANGE. Because most users have either an AT_SIGNATURE key or an AT_KEYEXCHANGE key, this option does not need to be used in most cases.

File that contains the issuer's certificate. MakeCert will search in the certificate store for a certificate with an exact match.

-in IssuerNameString

Common name of the issuer's certificate. MakeCert will search in the certificate store for a certificate whose common name includes IssuerNameString.

-ir IssuerCertStoreLocation

Registry location of the issuer's certificate store. IssuerCertStoreLocation must be either LocalMachine (registry key HKEY_LOCAL_MACHINE) or CurrentUser (registry key HKEY_CURRENT_USER). CurrentUser is the default.

-is IssuerCertStoreName

Issuer's certificate store that includes the issuer's certificate and its associated private key information. If there is more than one certificate in the store, the user must uniquely identify it by using the -ic or -in option. If the certificate in the certificate store is not uniquely identified, MakeCert will fail.
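
The following PowerShell session is an added example, not part of the original documentation. It shows how the subject options (-r, -n, -sky, -sr, -ss, -eku) and the issuer options (-in, -is, -ir) combine to issue a client-authentication test certificate from a self-signed test root, and then checks the result. The subject names are constructed, and makecert.exe is assumed to be on the PATH from the SDK \Bin folder.

```powershell
# Constructed names. Keep the root name unique: -in matches any certificate
# whose common name includes the string, and MakeCert fails if the issuer
# is not uniquely identified in the store.
$rootName = 'Example Test Root 01'
$leafName = 'Example Test Client 01'

# 1. Self-signed root (-r) with an AT_SIGNATURE key, saved to CurrentUser\My.
#    -pe is omitted on purpose, so the root private key is not marked exportable.
makecert.exe -r -n "CN=$rootName" -sky signature -sr CurrentUser -ss My
if ($LASTEXITCODE -ne 0) { throw 'Root certificate creation failed.' }

# 2. Leaf certificate signed by that root. -in/-is/-ir locate the issuer's
#    certificate and private key; -eku limits the leaf to client authentication.
makecert.exe -n "CN=$leafName" -sky exchange -eku 1.3.6.1.5.5.7.3.2 `
    -in $rootName -is My -ir CurrentUser -sr CurrentUser -ss My
if ($LASTEXITCODE -ne 0) { throw 'Leaf certificate creation failed.' }

# 3. Read the leaf back from the store and report what was actually issued.
$leaf = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq "CN=$leafName" } |
    Select-Object -First 1
if (-not $leaf) { throw 'Leaf certificate not found in CurrentUser\My.' }

$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$ekus = $leaf.Extensions |
    Where-Object { $_ -is $ekuType } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value }

[pscustomobject]@{
    Subject          = $leaf.Subject
    Issuer           = $leaf.Issuer
    NotAfter         = $leaf.NotAfter
    EnhancedKeyUsage = $ekus -join ','
    HasPrivateKey    = $leaf.HasPrivateKey
}
```

The report should show the root's name as Issuer and 1.3.6.1.5.5.7.3.2 as the only enhanced key usage. Delete both test certificates from the store when they are no longer needed.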